OK, here is my topology. I have two Silicon Mechanics servers running Debian Linux (Lenny 5.0) with keepalived for redundancy and iptables for routing (I have enabled packet forwarding, NAT, and default routes). I have two Extreme Networks Summit X450a L3 switches. I have 10 tagged VLANs. Tagged VLANs 100 and 103 and native VLAN 1 work fine over the VPN. OpenVPN pushes my routes to the client
(Route 1 id 100 172.16.100.0/24,
Route 2 id NA, *.*.*.*/24 public class C,
Route 3 id 101, 192.168.100.0/24,
Route 4 id 103, 10.10.0.0/16)
and the client can ping the servers and hosts on the other side, which are also using VLAN tagging at the endpoint (Sun link aggregate tagged VLAN devs), and can ping other hosts on my class C public network, which is set up on native VLAN 1 on all ports; these are not using tagged endpoints.

The problem: Sun iLOM network settings do not support VLAN tagging, so I connected a layer 2 switch to all of my netmng ports on the Sun servers where the iLOM is. I cascaded that switch to switch port 6 on my EN switch and removed tagging from that port, so port 6 is a member of VLAN id 101 untagged. The routers have interfaces attached to tagged VLAN 101, on the same subnet 192.168.100.0/24, and from the routers I can ping and connect to the iLOMs over the L2 and L3 switch with this configuration. But I cannot over the VPN. From the VPN I can ping the gateway IP 192.168.100.3 (from VPN client network 10.15.0.6). I cannot ping, however, anything past the gateway on that one network. The switch VLAN is set up with an IP of 192.168.100.1, and that is where I set the default gateway in the L2 config, and I turned on packet forwarding at the switch to forward to the router, but still no go.

tcpdump shows the pings coming in from the VPN on the correct interface but no response from the destination host, though it should be getting there; I think it's just not coming back correctly.

Well, I have been having some trouble compiling. Solaris 10 build 5. I guess I should put some more effort into that. But it seems I just figured out it is definitely a routing issue, because I went ahead and added an aggregate VLAN device on the offending VLAN on the server directly, and I still cannot ping it from the VPN either, and it is directly attached to the Extreme Networks switch on the tagged VLAN. I can access it from the router but not the VPN. I don't understand why, though; as you can see above, my routing for VLAN 100 is the same as VLAN 101, and I can access 100 from the VPN just fine.

nimnull22

03-15-2010 10:27 PM

As I understand, the VPN acts like a router (remote gateway) and can easily change IP. When you ping, the packets should go back the same way. Can you telnet to something through the VPN on your server?
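To illustrate nimnull22's point about the return path against the topology described in the first post, here is an added example (not code from the thread or from any of the devices mentioned): a longest-prefix-match walk over constructed route tables. The iLOM address, and the assumption that the iLOM's default gateway is the switch's 192.168.100.1 while the switch itself has no route for the VPN client subnet, are assumptions used to model the symptom, not the poster's actual configuration.

```python
import ipaddress

# Constructed route tables modelled on the thread's topology (assumptions).
VPN_CLIENT = "10.15.0.6"        # VPN client address from the post
ROUTER = "192.168.100.3"        # router's VLAN 101 interface from the post
L3_SWITCH = "192.168.100.1"     # switch VLAN 101 IP from the post
ILOM = "192.168.100.50"         # assumed iLOM address on untagged VLAN 101

# node -> list of (prefix, next hop); "local" means directly attached.
TABLES = {
    "vpn-client": [("192.168.100.0/24", ROUTER), ("172.16.100.0/24", ROUTER)],
    ROUTER: [("10.15.0.0/24", "local"), ("192.168.100.0/24", "local")],
    # Assumed: the iLOM only knows its own subnet plus a default gateway.
    ILOM: [("192.168.100.0/24", "local"), ("0.0.0.0/0", L3_SWITCH)],
    # Assumed: the switch forwards, but has no route for 10.15.0.0/24.
    L3_SWITCH: [("192.168.100.0/24", "local"), ("172.16.100.0/24", "local")],
}

def lookup(node, dst, tables=TABLES):
    """Longest-prefix match of dst in node's table; None when no route fits."""
    best = None
    for prefix, hop in tables.get(node, []):
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

def trace(src_node, dst, tables=TABLES, max_hops=8):
    """Follow next hops from src_node toward dst.
    Returns (path, reached); the path ends where the packet is dropped."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if node == dst:
            return path, True
        hop = lookup(node, dst, tables)
        if hop is None:
            return path, False          # no matching route: dropped here
        node = dst if hop == "local" else hop
        path.append(node)
    return path, False

def with_return_route(tables=TABLES):
    """Copy of the tables where the switch learns the VPN client subnet via
    the router, so the reply can retrace the forward path (assumed fix)."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed[L3_SWITCH].append(("10.15.0.0/24", ROUTER))
    return fixed

if __name__ == "__main__":
    print("forward:", trace("vpn-client", ILOM))
    print("reply:  ", trace(ILOM, VPN_CLIENT))
    print("fixed:  ", trace(ILOM, VPN_CLIENT, with_return_route()))
```

The forward trace reaches the iLOM, which matches what tcpdump showed on the router, while the reply dies at the switch for lack of a route back to 10.15.0.0/24; once that route exists, the reply follows the forward path in reverse.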